Breach in security system of Estonian ID cards causes concern
On August 30, 2017, an international team of researchers notified the Estonian government of a security vulnerability in the ID cards issued to around half of the Estonian population. The potential risk concerns the ID cards issued since October 2014 (including cards issued to e-residents), i.e. about 750,000 cards. In response, the Department of the Estonian Information System Authority has taken temporary measures to restrict some features of the ID cards issued during this period.
Since there have been no real cases of unauthorized use of the ID cards, the vulnerability is, as of today, theoretical. A security breach was discovered in connection with the advancement of the “e-Estonia” national initiative, designed to bring citizens into a digital ecosystem of public and private services built upon security and authentication. The Estonian ID card unifies access to a host of services.
Using this card, citizens can carry out banking operations, vote, file their tax returns, apply for state benefits, apply to serve in the armed forces and perform many other actions remotely. Business owners can use the ID cards to file their annual reports, apply for licenses, and so on, while government officials can use them to encrypt documents, review and approve contracts and permits, and submit information requests to law enforcement agencies. Digital authentication is convenient and saves time and money for government, public and business services. However, in order for it to function effectively, cybersecurity and confidentiality should be at the forefront.
Commenting on the current situation, the CEO of the Department, Taimar Peterkop, gave assurances that Estonian experts have already developed the primary solutions to reduce risks and that they are doing their best to ensure the security of the ID cards. Accordingly, the database of the ID cards' public keys has been closed, and it is impossible to use the vulnerability to attack a card without access to its public key. The Prime Minister of Estonia, Jüri Ratas, noted that this incident will not entail a change of course for the e-state.